Solution to ISIS targeting US Service Members – Arm our Troops!

The internet has been abuzz with the concerning news that ISIS has released a list of US military personnel and is calling on radical Muslims to attack them. The solution to this problem is simple – Arm our service members…

Contrary to the ISIS claim that the list of service personnel was obtained by hacking military servers, the list was most likely gleaned from military press releases using nothing more advanced than Google. In reality, it is trivial for someone with even the most basic Open Source Intelligence (OSINT) skills to find a ton of information on a person, including where they live, using OSINT programs.

The problem with open source intelligence is that the information discovered is not always accurate or up to date. This is apparently what happened here: instead of releasing the address of a Navy pilot, ISIS listed the address of a home owned by an elderly couple.

The solution to this problem, as related to me by a retired high level special forces member, is simple. “I think they are seriously underestimating the people they are targeting,” he said. “Many of us have combat experience… and are armed.”

US service members put too much personal information on social media websites, and the military releases too much information about troops and what they are doing. In addition to scrubbing this information from websites (which could help but may not be totally effective), the solution is simple. Make it legal for those targeted to carry arms, and provide them with arms!

In the name of political correctness, base security has been altered to make bases more “civilian friendly”. It is time again to allow our troops on base to carry weapons. Also, those service members who have been publicly listed by ISIS should be immediately provided a concealed carry permit for the state that they are in (if they do not already have one).

“Home grown” terrorists will think twice before taking on armed US military personnel.

Grabbing Passwords from Memory using Procdump and Mimikatz

When I was working on my Pulling Remote Word Documents from RAM using Kali Linux article, I was curious if you could use the same technique to pull the system passwords, and you can…

With the help of Mimikatz!

I tried grabbing the lsass.exe process with procdump, just like I did in the previous article, but when I ran strings I didn’t see any passwords. Well, silly me, you wouldn’t! But as the Zena Forensics blog explains, just take the lsass.exe procdump and run Mimikatz on it!

(Sorry Gentilkiwi, you would think I would know better! 🙂 )

Okay, so once we have the procdump of the lsass.exe process saved as lsassdump.dmp like so:

[image: procdump of the lsass.exe process]

All we need to do is run the resultant .dmp file through Mimikatz:

  • Run Mimikatz
  • Type “sekurlsa::minidump lsassdump.dmp”
  • Lastly, type “sekurlsa::logonPasswords”

And that is it! Mimikatz works its magic on the .dmp file and within a second or so we see this:

[image: Mimikatz output showing the recovered passwords]

Passwords! Wow, this is a really secure Windows 7 system I see…

So if we can get a memory dump of the lsass.exe process (you need to have an administrator level account to do so) we can take our time and pop the passwords out of it at any time (and anywhere) with Mimikatz.
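From the defender's side, the operation just described leaves a distinct trace: a process opening lsass.exe with memory-read rights, and a dump tool naming lsass on its command line. The following Python is an added example (not code from this post, from ProcDump or from Mimikatz) of a simple detection over such records. It assumes Sysmon-style events (Event ID 1 ProcessCreate with Image/CommandLine, Event ID 10 ProcessAccess with SourceImage/TargetImage/GrantedAccess); the sample events and the allowlist of known-good readers of lsass are constructed for the example.

```python
from fnmatch import fnmatchcase

# PROCESS_VM_READ is the Windows access right a caller needs to read another
# process's memory; a dump of lsass.exe is impossible without it.
PROCESS_VM_READ = 0x0010

# Constructed allowlist: processes that legitimately read lsass on this host.
# In a real deployment this is built from a baseline of the environment.
ALLOWED_SOURCES = [
    "c:\\windows\\system32\\csrss.exe",
    "c:\\program files\\example av\\*",
]

# Constructed sample events in the shape Sysmon produces (values made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Tools\\procdump.exe", "User": "LAB\\admin",
     "CommandLine": "procdump.exe -ma lsass.exe lsassdump.dmp"},
    {"EventID": 10, "SourceImage": "C:\\Tools\\procdump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Example AV\\scanner.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "User": "LAB\\user",
     "CommandLine": "notepad.exe notes.txt"},
]


def is_allowed(image):
    """True if the source image matches an allowlist pattern (case-insensitive)."""
    return any(fnmatchcase(image.lower(), pat) for pat in ALLOWED_SOURCES)


def detect_lsass_access(events):
    """Return a list of findings for events that look like an lsass memory dump."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            # GrantedAccess is a hex access mask; only memory-read access matters here
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            if access & PROCESS_VM_READ and not is_allowed(ev["SourceImage"]):
                findings.append({"rule": "lsass-memory-read",
                                 "image": ev["SourceImage"], "access": hex(access)})
        elif eid == 1:
            # A command line that names lsass together with a dump switch or file
            cmd = ev.get("CommandLine", "").lower()
            if "lsass" in cmd and ("-ma" in cmd or ".dmp" in cmd):
                findings.append({"rule": "lsass-dump-commandline",
                                 "image": ev["Image"], "commandline": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in detect_lsass_access(SAMPLE_EVENTS):
        print(f)
```

The access-mask test is deliberately narrow: csrss.exe querying lsass with 0x1000 (no memory read) is ignored, and the allowlisted AV scanner is ignored even though it reads memory, so the two findings are the ProcDump command line and ProcDump's handle to lsass.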

For more information, check out my latest book, “Basic Security Testing with Kali Linux, 3rd Edition” which has a complete chapter on using Mimikatz!


Pulling Remote Word Documents from RAM using Kali Linux

Really enjoyed the article on W00tsec about pulling RAW picture images from memory dumps and thought it would be cool if you could use the same process to pull information from a remote system’s memory using Kali – and you can!

In this tutorial we will see how to pull a Word document from a remote machine’s memory, parse it for text and view it in Kali Linux.

The target system is a Windows 7 PC running Office 2010. We will start with a remote metasploit meterpreter shell session already active. So basically we tricked our test system into running our booby trapped file which created a back door to our Kali system.

So we want to grab the remote memory, but we only want the memory in use by the Word process. Following the w00tsec tutorial, we just need to use the SysInternals ProcDump command. ProcDump is available from Microsoft’s Technet site as part of the SysInternals Suite. This command allows you to pull memory for specific processes.

You may want to grab the SysInternals “Strings” program too while you are there. “Strings” is a Windows version of the Linux command that we will be using later.

These programs will need to be uploaded to the target system from Meterpreter.

Next, in the Metasploit DOS shell, type “tasklist” to see what is running on the remote Windows system:

[image: tasklist output]

Further down the list we see that the user has an open session of MS Word (WINWORD.EXE):

[image: process list showing WINWORD.EXE]

Run the procdump command using the “-ma” switch and the process name “WINWORD.EXE”, and name the resultant dump file “word”, as seen below:

[image: procdump of WINWORD.EXE]

We now have a memory dump stored on our remote system called “word.dmp”. The file is pretty large, 362 MB. We could just download that file back to our Kali system, but we can shrink it, since we are really only looking for text in the memory dump. We have two options here: we can use the SysInternals “Strings” program to work through the dump on the target and pull out only the text (significantly reducing the download size), or we can download the whole file en masse back to our Kali system and use the Linux “strings” command to parse it.

The choice is yours, but I will say with just using the default program settings in both, the Linux one did a much better job of parsing the file.

But basically the command is the same in both versions: “strings word.dmp > word.txt”
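As an added illustration (not code from this post, and not how GNU strings or the SysInternals tool is implemented), here is a small Python equivalent of that step. It goes one step beyond the command above: besides the ASCII runs that GNU strings reports by default, it also reports UTF-16LE runs (letter, NUL, letter, NUL, …), which GNU strings only shows with “-e l” and which matter because Windows programs keep much of their text in that encoding. The sample dump bytes are constructed for the example.

```python
import re
import sys

# Constructed sample standing in for a slice of a process memory dump (the
# word.dmp of this article): binary noise, one ASCII string, one UTF-16LE
# string, and a two-character run that is too short to be reported.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"Nmap Reference Guide"
    + b"\x00\xff\x10"
    + "Scanning 192.0.2.0/24".encode("utf-16-le")
    + b"\x00\x00ab\x00"
)


def extract_strings(data, min_len=4, unicode=True):
    """Return printable runs of at least min_len characters, in offset order.

    min_len=4 is the GNU strings default. With unicode=True, UTF-16LE runs of
    printable ASCII characters are reported as well (GNU strings: -e l).
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    if unicode:
        hits += [(m.start(), m.group().decode("utf-16-le"))
                 for m in utf16_re.finditer(data)]
    hits.sort(key=lambda h: h[0])          # keep file order, as strings does
    return [text for _, text in hits]


def dump_to_text(dump_path, out_path, min_len=4):
    """File-level equivalent of `strings word.dmp > word.txt`; returns the count."""
    with open(dump_path, "rb") as f:
        data = f.read()                    # whole dump in memory; fine for a few hundred MB
    found = extract_strings(data, min_len)
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("\n".join(found) + "\n")
    return len(found)


if __name__ == "__main__":
    # `python extract_strings.py word.dmp word.txt`, or no arguments for the sample
    if len(sys.argv) == 3:
        print(dump_to_text(sys.argv[1], sys.argv[2]), "strings written")
    else:
        for s in extract_strings(SAMPLE_DUMP):
            print(s)
```

Run without arguments it prints the two embedded strings; with a dump and an output path it behaves like the redirected strings command, so the resulting word.txt can be read in Kali just as the article describes.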

Now if we open the resultant text file in Kali, we see a ton of information – System settings, variables that are set on the system, I even found registry keys mentioned. But eventually we will see this (Produced with the Linux strings command):

[image: Kali strings result]

Compare that to the Word document we have open on the Windows 7 machine:

[image: original Word document]

As you can see the Nmap user manual open on our Windows 7 system has been successfully grabbed from memory remotely, and we can now view the text on our Kali system!

I know there are other forensics programs out there that will do basically the same thing, and this is not a forensically sound way of preserving data needed in a legal case, but it is a lot of fun doing this manually and opens up some interesting possibilities!

The best way to defend against these types of attacks is to follow good security practices against social engineering and phishing type attacks. An attacker would need a remote connection to your system to be able to pull items from its memory. Do not open unknown or unsolicited attachments in e-mails. Be leery of odd sounding links sent to you from a friend’s account, and use a script blocker and a good AV Internet security program when surfing the web.

Want to learn more about Kali Linux and Metasploit? Check out my book, “Basic Security Testing with Kali Linux”.